
How do i collect all of my service accounts in AWS Cloudtrails?

JoaoGuiNovaes
Explorer

In some essential app security aws rules, it requires you to populate the aws_service_accounts lookup to use in exceptions, but I'm having trouble with how I can map all my aws service accounts.

by example: https://research.splunk.com/deprecated/4d46e8bd-4072-48e4-92db-0325889ef894/
in implementation section


livehybrid
SplunkTrust

Hi @JoaoGuiNovaes 

Based on the Enterprise Security Content Updater repo (https://github.com/splunk/security_content/blob/develop/baselines/create_a_list_of_approved_aws_serv...) it looks like the following can be used to create the aws_service_accounts lookup:

`cloudtrail` errorCode=success | rename userName as identity | search NOT
  [inputlookup identity_lookup_expanded | fields identity] | stats count by identity
  | table identity | outputlookup aws_service_accounts | stats count

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.

Please validate the service account entries in `aws_service_accounts.csv`, which is a lookup file created as a result of running this support search. Please remove the entries of service accounts that are not legitimate.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


JoaoGuiNovaes
Explorer

Thanks for the reply! The rule implementation instructions say to run this search every 30 days, but it doesn't say how long I should search. I've already tested searching the last 90 minutes, but it didn't cover even close to what I needed. I tried this time because this search is very expensive and takes a long time. Do you have any suggestions for scheduling time and search period? Another point is that I tried, but I didn't find any way to differentiate service accounts from user accounts based on fields.


livehybrid
SplunkTrust

Hi @JoaoGuiNovaes 

I think every 30 days is way too infrequent for this; you would want the service accounts added fairly soon after they're first seen so the info can be used in other searches.

Personally I would run it more frequently, e.g. hourly, or every 4 hours. I usually look back (earliest) equivalent to the time since the previous run minus an extra 10 minutes to account for lag, so something like earliest=-70m latest=-10m (60-minute period, running every hour).

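As an added example (not the thread's own code, nor Splunk's), the Python below replays the baseline search's logic over a handful of constructed CloudTrail records and a constructed identity_lookup_expanded, then checks that the earliest=-70m latest=-10m hourly windows described above overlap rather than leave gaps. CLOUDTRAIL_EVENTS, IDENTITY_LOOKUP_EXPANDED and the function names are assumptions for the illustration; userIdentity.type is kept on the records because it is a real CloudTrail field that helps when validating the resulting lookup by hand.

```python
"""Added example (not from the thread): replays the baseline search logic
over constructed CloudTrail records and checks the hourly window scheme."""

# Constructed CloudTrail records, reduced to the fields the search touches;
# errorCode is set to "success" explicitly, as the search's filter expects.
# userIdentity.type is a real CloudTrail field (IAMUser, AssumedRole, ...)
# kept here because it helps when validating the resulting lookup by hand.
CLOUDTRAIL_EVENTS = [
    {"userName": "alice", "errorCode": "success", "userIdentity": {"type": "IAMUser"}},
    {"userName": "backup-runner", "errorCode": "success", "userIdentity": {"type": "AssumedRole"}},
    {"userName": "backup-runner", "errorCode": "success", "userIdentity": {"type": "AssumedRole"}},
    {"userName": "mallory", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser"}},
    {"userName": "ci-deployer", "errorCode": "success", "userIdentity": {"type": "IAMUser"}},
]
# Constructed identity_lookup_expanded: identities already known to be people.
IDENTITY_LOOKUP_EXPANDED = {"alice", "bob"}


def candidate_service_accounts(events, known_identities):
    """errorCode=success | rename userName as identity
    | search NOT [inputlookup identity_lookup_expanded | fields identity]
    | stats count by identity   ->  {identity: count}"""
    counts = {}
    for ev in events:
        if ev.get("errorCode") != "success":
            continue
        identity = ev.get("userName")
        if not identity or identity in known_identities:
            continue
        counts[identity] = counts.get(identity, 0) + 1
    return counts


def search_window(run_minute, period=60, lag=10):
    """earliest=-70m latest=-10m for an hourly run, in minutes on a shared
    clock: the window ends `lag` minutes before the run and spans `period`."""
    latest = run_minute - lag
    return latest - period, latest


def windows_leave_no_gap(run_minutes, period=60, lag=10):
    """True when consecutive windows abut or overlap, so no stretch of
    CloudTrail data falls outside every scheduled run."""
    wins = [search_window(t, period, lag) for t in sorted(run_minutes)]
    return all(prev[1] >= nxt[0] for prev, nxt in zip(wins, wins[1:]))
```

The identities returned are only candidates; as the accepted answer says, review the resulting lookup and drop any entry that is not a legitimate service account.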


JoaoGuiNovaes
Explorer

Thank you! You helped me a lot with the time issue!


